Joined: Jan 2005
Posts: 72
C
journeyman
OP Offline
Got the following multiple ID alert this morning:

"A user from the IP 222.1.43.10 has logged in to the following accounts: Administration, barthold"

Firstly, "Administration" is member #2, which I believe was the original username used to set up the software many moons ago...but the IP addys listed under that name simply show the 127.0.0.1, which iirc, was changed to all users during an update/import several versions ago.

A quick google of barthold's email (nothingdif@gmail.com) pops up on the "stop forum spam" list, with the same username/email (but different IP) as was registered at our site.

So, can anyone explain how/why I got the alert? Is this user definitely a spammer? Do I need to boot/ban him, and do something with the "Administration" account?


www.yenko.net
UBB.Threads 7.5.5
Joined: Jan 2008
Posts: 514
addict
Offline
Not sure if it is a spammer or not, however I would probably change the admin password as soon as I could just in case.

Admins usually don't use that default admin (or shouldn't be imo) so changing the password should not affect legitimate admins on your site.

Dunny

Joined: Apr 2007
Posts: 3,940
SD Offline
Former Developer
that's a hack attempt and can be very serious... you need to address the issue and change passwords for Administrator..

also i'd really change the login name for all admins to NOT be same as display name..

that's my #1 rule for all admins..

look @ your ubb admin log for suspicious activity..

Joined: Aug 2010
Posts: 103
R
member
Offline

We have switched to cPanel and have started getting reports of hacker attempts. We only get the IP address, which isn't enough, so I am gonna start a new suggestion thread on cPanel to report what user name was attempted and password used in each attempt.

As SD has said, this is serious. You might want to prowl around in your use group and make sure that the one who broke into your system didn't leave anything behind as a back door in case you discovered what they had done.

Larry
www.marriageadvocates.com

Joined: Oct 2009
Posts: 20
B
stranger
Offline
A couple of weeks ago we also had a small hack. Our site was closed and had a "hacked by 'some hackuser name'" message on the offline-page. All admins changed their password (also for ftp-access). A couple of weeks later our ftp-root was empty after another hacking attempt. If you (sirdude) want to have the logs on this hacking attempt you can mail me. We still don't know where he came in, but since then we have an extra password (via helm control panel) on our admin-directory.

btw: we now have the latest ubb bug/security-fix installed

Joined: Jan 2005
Posts: 72
C
journeyman
OP Offline
Originally Posted by Sirdude
that's a hack attempt and can be very serious... you need to address the issue and change passwords for Administrator..

also i'd really change the login name for all admins to NOT be same as display name..

that's my #1 rule for all admins..

look @ your ubb admin log for suspicious activity..

Dumb question, but is it possible to change one's username? Having had the same username across several sites for over a decade now, I'd hate to change my display name, and I would bet the other admins will object as well...


www.yenko.net
UBB.Threads 7.5.5
Joined: Jun 2006
Posts: 16,185
Likes: 102
UBB.threads Developer
Offline
You could by database diving... Not sure why this isn't in the control panel though...


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
Joined: Dec 2003
Posts: 6,467
Likes: 70
Offline
Originally Posted by Gizmo
You could by database diving... Not sure why this isn't in the control panel though...
You know, in light of what has recently happened with the release of the security patch, it should be an option to request and have changed, just like the change display name process works.
Then a user could keep the display name or vice versa.
Maybe SD will read this.


Blue Man Group
There is no such thing as stupid questions. Just stupid answers
Joined: Jun 2006
Posts: 81
M
member
Offline
Ruben,

I agree, an option for any forum member to change their User name (as opposed to Display name) would be a nice added feature. This is something that need not be subject to any admin/moderator approval.

It would allow for those who created an account with the same user/display name to think better of it and introduce a little added security.




Joined: Jan 2005
Posts: 72
C
journeyman
OP Offline
Just a quick heads up: looks like the security breach added some ads to our forum:

http://www.yenko.net/ubbthreads/ubbthreads.php?ubb=showflat&Number=461721&page=2



www.yenko.net
UBB.Threads 7.5.5
Joined: Jun 2006
Posts: 1,344
G
veteran
Offline
Contact Giz, he'll be able to help clean your site up wink

Joined: Apr 2007
Posts: 3,940
SD Offline
Former Developer
yah you were hacked prior to the security breach -- you will need someone with shell access to fix it

who is your host?

Joined: Jan 2005
Posts: 72
C
journeyman
OP Offline
BTW: can anyone tell me where that banner is being called from within UbbT? Is that area from the templates, possibly?


www.yenko.net
UBB.Threads 7.5.5
Joined: Jan 2005
Posts: 72
C
journeyman
OP Offline
Here's what pops up in the source:
Code
<div align="center">
<script type="text/javascript"><!--
google_ad_client = "pub-9330396700047182";
/* 728x90, 创建于 (created on) 11-9-22 */
google_ad_slot = "3985911273";
google_ad_width = 728;
google_ad_height = 90;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">

</script>


www.yenko.net
UBB.Threads 7.5.5
Joined: Jun 2006
Posts: 1,344
G
veteran
Offline
It should be in showflat.tpl. But as SD said, you will need someone with shell access to find the new hidden files that will add this back after you remove it.

Joined: Apr 2007
Posts: 3,940
SD Offline
Former Developer
yah, that is the problem

here is what happens.. pre security patch, the hacker leaves backdoors, so he really doesn't need ubb anymore to get in.

he goes away and tries other sites.

comes back and deposits more 'goodies'

so you'll need shell to find the CAUSE and not just treat the SYMPTOMS

wink

Joined: Jan 2005
Posts: 72
C
journeyman
OP Offline
Originally Posted by gliderdad
It should be in showflat.tpl. But as SD said, you will need someone with shell access to find the new hidden files that will add this back after you remove it.
LOL, now ya tell me! I found it right after I posted above, but thanks for the confirmation!

Just as a note to myself, here's the code that was dumped in the header:

Code
<div align="center">
<script type="text/javascript"><!--
google_ad_client = "pub-9330396700047182";
/* 728x90, 创建于 (created on) 11-9-22 */
google_ad_slot = "3985911273";
google_ad_width = 728;
google_ad_height = 90;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
</div>

Footer dump:

Code
<div align="center">
<script type="text/javascript"><!--
google_ad_client = "pub-9330396700047182";
/* 728x90, 创建于 (created on) 11-9-22 */
google_ad_slot = "3985911273";
google_ad_width = 728;
google_ad_height = 90;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
</div>
BTW: anyway to track back these guys via GoogleAds? Would they tell us who was getting paid for them??

Last edited by Chevy454; 09/30/2011 11:20 AM.

www.yenko.net
UBB.Threads 7.5.5
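
The cleanup discussed in the posts above (finding every place the ad block was injected, and which files were rewritten) can be scripted once shell access is available. This is an added example, not code from the thread or from UBB.threads: it reports each `google_ad_client` publisher ID under a directory that is not on the site's own allowlist, and lists files modified after a reference file. `ALLOWED_PUBS`, the function names, `own_ads.tpl` and the `baseline` file are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. ALLOWED_PUBS is a placeholder allowlist:
# set it to the AdSense publisher ID(s) the site really owns.
ALLOWED_PUBS="${ALLOWED_PUBS:-pub-0000000000000000}"

# Print "pub-id file:line" for each google_ad_client under $1 whose
# publisher ID is not in ALLOWED_PUBS.
scan_ad_clients() {
    pat="google_ad_client[[:space:]]*=[[:space:]]*[\"'](ca-)?pub-[0-9]+"
    grep -rnIoE "$pat" "$1" 2>/dev/null |
    while IFS= read -r hit; do
        pub=$(printf '%s\n' "$hit" | grep -oE 'pub-[0-9]+' | tail -n 1)
        case " $ALLOWED_PUBS " in *" $pub "*) continue ;; esac
        printf '%s %s\n' "$pub" "${hit%:google_ad_client*}"
    done
}

# List files under $1 modified after reference file $2 (for example a file
# from the last known-good upload), to spot templates that were rewritten.
changed_since() {
    find "$1" -type f -newer "$2" | sort
}

# Constructed sample tree: one clean template, one carrying the injected block.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/templates"
    printf '%s\n' '<script type="text/javascript">' \
        'google_ad_client = "pub-0000000000000000";' '</script>' \
        > "$d/templates/own_ads.tpl"
    printf '%s\n' '<div align="center">' \
        '<script type="text/javascript"><!--' \
        'google_ad_client = "pub-9330396700047182";' \
        'google_ad_slot = "3985911273";' '//-->' '</script>' '</div>' \
        > "$d/templates/showflat.tpl"
    touch -t 201101010000 "$d/templates/own_ads.tpl"   # old, untouched
    touch -t 201109010000 "$d/baseline"                # reference point
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
scan_ad_clients "$tree"
changed_since "$tree/templates" "$tree/baseline"
rm -rf "$tree"
```

Run the scan over the whole web root rather than only the templates directory, since the thread notes that leftover files can put the block back after it is removed.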
Joined: Jan 2005
Posts: 72
C
journeyman
OP Offline
Anyone know of a way to track back via the google ad client #(pub-9330396700047182)?


www.yenko.net
UBB.Threads 7.5.5
Joined: Jun 2006
Posts: 106
member
Offline
https://www.google.com/adsense/support/bin/answer.py?answer=18386

Though, they aren't likely to provide any info to you, only law enforcement.

Joined: Jan 2005
Posts: 72
C
journeyman
OP Offline
Yeah, I ran across that earlier and filled out the info, but a quick Google(!) search reveals that it doesn't seem anyone ever receives a reply from Google regarding this issue...so I was hoping someone knew of a better way, lol!

And the folks at Google AdSense don't do phone calls, either...unless you consider a looped recording a "resolution". mad


www.yenko.net
UBB.Threads 7.5.5
Joined: Jan 2005
Posts: 72
C
journeyman
OP Offline
BTW: a big THANK YOU to everyone here for the help with this issue, especially Sir Dude!


www.yenko.net
UBB.Threads 7.5.5
